The Trouble With Smartphone Kill Switches

To fight smartphone theft, public officials tell smartphone makers to add remote-deactivation, tracking and recovery features. But manufacturers may not do the job right.

Authorities are looking to handset manufacturers to implement smartphone "kill switches" that are designed to make the devices unattractive to thieves and recoverable for owners. But given their track record, there is no guarantee that smartphone makers will implement the right technology for the job.

"We need the industry to take this issue seriously and come up with a technical solution that can squash the illegal smartphone market that is fuelling this crime," London mayor Boris Johnson said last week.

Smartphone crime is a public safety issue, with police in many cities reporting a related rise in crime: London police say they see 10,000 smartphone thefts per month. In 2012, half of all robberies in San Francisco targeted a smartphone, while in New York City last year, the figure was 40%, according to statistics supplied by "Secure Our Smartphones," a program launched earlier this year by New York State Attorney General Eric Schneiderman and San Francisco District Attorney George Gascon, and recently joined by London.

All told, Consumer Reports estimates that 1.6 million Americans were victims of phone theft last year.

High-end smartphones are expensive to buy and lucrative to resell. Some models reportedly fetch up to $1,200 each in Hong Kong. Many phones ultimately end up in Africa and Asia, where they're wiped and rolled out on new cellular networks, according to law enforcement experts. Even if the devices are still running tracking software, you can kiss them goodbye.

Accordingly, Gascon has redirected his attention to handset manufacturers. But can many smartphone manufacturers be relied on to build a kill switch that's good enough to enable devices to be recovered, yet tough enough to withstand hack attacks? Consider the Android add-on software and skins added by so many handset manufacturers to their devices. Bloatware is the charitable word for such software, which too often poses a security risk because add-ons can introduce entirely new, exploitable vulnerabilities.

Of course, some smartphones already sport remote-kill features, such as such as the new Android Device Manager from Google, or the "wipe your iPhone" (or iPad) feature built into iOS devices. But they're more of a convenience than a theft-prevention feature. "Apple's switch renders the phone inoperable, but you have no way of getting it back," says Stephen Midgley, VP of marketing for Absolute Software, in an interview. Absolute has long made laptop-recovery software that uses software agents installed in device firmware.

"If the phone is stolen, you may be able to track it using 'find my phone' functionality, but we certainly don't recommend that consumers try to recover their own device," he says. "So being able to use a kill switch to remotely wipe or brick the device, but also recover the device, is of equal importance to either find the person who did it and make them accountable, or provide that information to police, so they can then take action."

To be viable, recovery software must involve some sort of persistent tracking technology installed on devices. That happens to be the type of software agent used by Absolute's Lojack for Mobile Devices software, which costs $30 per year to use, and so far is only available on Samsung Galaxy S4 devices, for which it's built into the device's firmware. Midgley said that approach is essential for making the tracker tough to find or delete, thus bettering the odds that it will remain running if the device gets stolen and helping the company's dedicated recovery team. Even if the phone does move to a part of the world where getting it back would be difficult, the location information may still be of use to law enforcement agencies amassing intelligence on the criminal gangs involved.

Samsung is doubling down on Absolute's recovery software, which will also feature in Samsung Knox. Due out later this year, Knox aims to give enterprises a more secure version of Android for business use, including secure boot, plus application containers to separate business apps from consumer apps.

Bolstering the tracking and recovery services built into smartphones stands to benefit both businesses and consumers. Still, what's to prevent enterprising hackers from using recovery or remote-wipe tools to forcibly deactivate or delete numerous Android devices in one go? That's an open question. "For solutions that use applications to control the phone's hardware, there is always a risk" that the app may draw the attention of hackers, or be used to access or wipe the data it's meant to protect, Jim Butterworth, CSO of technology security firm HBGary, tells me via email. "But an app can and should be created with controls to login and operate the app itself, as well as being limited in code to only the functions it requires in order to work."

In other words, handset manufacturers that build their own recovery tools must employ secure coding practices and extensive testing to ensure that add-on security apps can't be hacked, but instead can only be accessed by an approved recovery provider -- or perhaps the subscriber's carrier. Likewise, they'll need to have any recovery software they put on the devices tested to ensure that would-be attackers can't simply erase the software from the device or flash the firmware, before sending the phone to its new life overseas.

Alternately, handset manufacturers can tap third-party software vendors and recovery services. Given many handset manufacturers' previous, poor track record when it comes to developing their Android add-ons, let's hope that -- with the possible exception of Apple and Google, which excel at building their own software -- manufacturers tap a third-party information security specialist. If you value your phone, and chances of recovering any device that gets stolen, that's the best blueprint for building in kill switches, zappers or whatever technology may help deter theft.

To be certain you'd killed the phone, you'd probably need to make it self destruct, frying the circuits Mission Impossible style. Then you'd probably have misfires where phones are blowing up for no good reason.

Lots to think about in this article. Seems like the perfect mix of hacker-proof location tracking and remote wipe capability is still out of reach. Leaving it to a third-party app is risky because it's too easy for a hacker to infiltrate the app, and same goes for manufacturers baking kill-switch tech into the hardware. No easy answer. Manufacturers have to make mobile security a priority. In the meantime, password protect your phones people!

I think the key is ubiquitousness and prioritizing the "brick" part of the "brick it and recover it" equation. Once thieves believe the chances are 90% or better that a stolen phone will be unusable even in Asia, the problem will abate. At that point, recovery becomes moot.

Agreed. And by brick, you have to completely fry the whole phone. If you just fry the SOC, cell radio or flash memory, there will still be a market for "chop shops" that resell the display, battery, buttons, switches and enclosure.Of course the problem with truly frying it (i.e. short-circuit the battery and melt the innards) is the risk of fire and personal injury -- to both legitimate owners and criminals. Yes, criminals. I guarantee you that the first criminal that gets burned will find an ambulance chasing lawyer and quickly go public and go loud. Of course they will be an extremely economically disadvantaged teenager that was only stealing so they could buy medications for their terminally ill mother and/or feed their younger siblings.

There really isn't a clear solution out there for tracking and security phone software. Even if they develop apps that have the capability to track phones remotely and are unable to be wiped out by whoever took it, there is also the task of recovering it. From what I've seen it really isn't too easy to have law enforcement officers take phone recovery seriously when most of them are already over worked and busy with more pressing matters.

Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.

Worries about subpar networks tanking unified communications programs could be valid: Thirty-one percent of respondents have rolled capabilities out to less than 10% of users vs. 21% delivering UC to 76% or more. Is low uptake a result of strained infrastructures delivering poor performance?